Steve-Dee-Designs
/
woocommerce
mirror of https://github.com/woocommerce/woocommerce.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #18820 from alexmacarthur/pii-removal 

PII Issue Prevention - Remove user login from reset password link.
This commit is contained in:
Mike Jolley 2018-03-03 17:19:55 +00:00 committed by GitHub
parent a869f896bf 870338ee5d
commit 46ab27e4e8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 24 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
includes/class-wc-form-handler.php
View File

@ -40,13 +40,21 @@ class WC_Form_Handler {
} }
/** /**
* Remove key and login from query string, set cookie, and redirect to account page to show the form. * Remove key and user ID (or user login, as a fallback) from query string, set cookie, and redirect to account page to show the form.
*/ */
public static function redirect_reset_password_link() { public static function redirect_reset_password_link() {
if ( is_account_page() && ! empty( $_GET['key'] ) && ! empty( $_GET['login'] ) ) { if ( is_account_page() && isset( $_GET['key'] ) && ( isset( $_GET['id'] ) || isset( $_GET['login'] ) ) ) {
$value = sprintf( '%s:%s', wp_unslash( $_GET['login'] ), wp_unslash( $_GET['key'] ) );
WC_Shortcode_My_Account::set_reset_password_cookie( $value );
// If available, get $user_login from query string parameter for fallback purposes.
if ( isset( $_GET['login'] ) ) {
$user_login = $_GET['login'];
} else {
$user = get_user_by( 'id', absint( $_GET['id'] ) );
$user_login = $user ? $user->user_login : '';
}
$value = sprintf( '%s:%s', wp_unslash( $user_login ), wp_unslash( $_GET['key'] ) );
WC_Shortcode_My_Account::set_reset_password_cookie( $value );
wp_safe_redirect( add_query_arg( 'show-reset-form', 'true', wc_lostpassword_url() ) ); wp_safe_redirect( add_query_arg( 'show-reset-form', 'true', wc_lostpassword_url() ) );
exit; exit;
} }

10
includes/emails/class-wc-email-customer-reset-password.php
View File

@ -19,6 +19,13 @@ if ( ! class_exists( 'WC_Email_Customer_Reset_Password', false ) ) :
*/ */
class WC_Email_Customer_Reset_Password extends WC_Email { class WC_Email_Customer_Reset_Password extends WC_Email {
/**
* User ID.
*
* @var integer
*/
public $user_id;
/** /**
* User login name. * User login name.
* *
@ -92,6 +99,7 @@ class WC_Email_Customer_Reset_Password extends WC_Email {
if ( $user_login && $reset_key ) { if ( $user_login && $reset_key ) {
$this->object = get_user_by( 'login', $user_login ); $this->object = get_user_by( 'login', $user_login );
$this->user_id = $this->object->ID;
$this->user_login = $user_login; $this->user_login = $user_login;
$this->reset_key = $reset_key; $this->reset_key = $reset_key;
$this->user_email = stripslashes( $this->object->user_email ); $this->user_email = stripslashes( $this->object->user_email );
@ -114,6 +122,7 @@ class WC_Email_Customer_Reset_Password extends WC_Email {
public function get_content_html() { public function get_content_html() {
return wc_get_template_html( $this->template_html, array( return wc_get_template_html( $this->template_html, array(
'email_heading' => $this->get_heading(), 'email_heading' => $this->get_heading(),
'user_id' => $this->user_id,
'user_login' => $this->user_login, 'user_login' => $this->user_login,
'reset_key' => $this->reset_key, 'reset_key' => $this->reset_key,
'blogname' => $this->get_blogname(), 'blogname' => $this->get_blogname(),
@ -132,6 +141,7 @@ class WC_Email_Customer_Reset_Password extends WC_Email {
public function get_content_plain() { public function get_content_plain() {
return wc_get_template_html( $this->template_plain, array( return wc_get_template_html( $this->template_plain, array(
'email_heading' => $this->get_heading(), 'email_heading' => $this->get_heading(),
'user_id' => $this->user_id,
'user_login' => $this->user_login, 'user_login' => $this->user_login,
'reset_key' => $this->reset_key, 'reset_key' => $this->reset_key,
'blogname' => $this->get_blogname(), 'blogname' => $this->get_blogname(),

2
templates/emails/customer-reset-password.php
View File

@ -29,7 +29,7 @@ if ( ! defined( 'ABSPATH' ) ) {
<p><?php _e( 'If this was a mistake, just ignore this email and nothing will happen.', 'woocommerce' ); ?></p> <p><?php _e( 'If this was a mistake, just ignore this email and nothing will happen.', 'woocommerce' ); ?></p>
<p><?php _e( 'To reset your password, visit the following address:', 'woocommerce' ); ?></p> <p><?php _e( 'To reset your password, visit the following address:', 'woocommerce' ); ?></p>
<p> <p>
<a class="link" href="<?php echo esc_url( add_query_arg( array( 'key' => $reset_key, 'login' => rawurlencode( $user_login ) ), wc_get_endpoint_url( 'lost-password', '', wc_get_page_permalink( 'myaccount' ) ) ) ); ?>"> <a class="link" href="<?php echo esc_url( add_query_arg( array( 'key' => $reset_key, 'id' => $user_id ), wc_get_endpoint_url( 'lost-password', '', wc_get_page_permalink( 'myaccount' ) ) ) ); ?>">
<?php _e( 'Click here to reset your password', 'woocommerce' ); ?></a> <?php _e( 'Click here to reset your password', 'woocommerce' ); ?></a>
</p> </p>
<p></p> <p></p>

2
templates/emails/plain/customer-reset-password.php
View File

@ -28,7 +28,7 @@ echo sprintf( __( 'Username: %s', 'woocommerce' ), $user_login ) . "\r\n\r\n";
echo __( 'If this was a mistake, just ignore this email and nothing will happen.', 'woocommerce' ) . "\r\n\r\n"; echo __( 'If this was a mistake, just ignore this email and nothing will happen.', 'woocommerce' ) . "\r\n\r\n";
echo __( 'To reset your password, visit the following address:', 'woocommerce' ) . "\r\n\r\n"; echo __( 'To reset your password, visit the following address:', 'woocommerce' ) . "\r\n\r\n";
echo esc_url( add_query_arg( array( 'key' => $reset_key, 'login' => $user_login ), wc_get_endpoint_url( 'lost-password', '', wc_get_page_permalink( 'myaccount' ) ) ) ) . "\r\n"; echo esc_url( add_query_arg( array( 'key' => $reset_key, 'id' => $user_id ), wc_get_endpoint_url( 'lost-password', '', wc_get_page_permalink( 'myaccount' ) ) ) ) . "\r\n";
echo "\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n"; echo "\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n";